European Commissioner Neelie Kroes recently described the use of Flash cookies for some purposes as illegal under European law. Her statement followed the introduction of multiple lawsuits in the U.S. against companies including Specific Media and Quantcast.
Indeed, there would seem to be a wave of concern about the use of Flash cookies for online ad targeting purposes. That concern has been expressed not only by regulators, consumers, and privacy advocates, but by ad industry members themselves.
Since June, numerous U.S. lawsuits have been filed against behavioral targeting companies, including Specific Media and Quantcast, and publishers using such technologies, such as Fox Entertainment Group and NBC Universal. The suits specifically highlight the use of Flash cookies to recreate, or “re-spawn,” HTML cookies – which are used to store information on users’ browsing history and to target ads based on their interests.
The issue for companies using HTML cookies for targeting purposes is that users can easily delete them, erasing the profile information stored about them and diminishing the value of an ad impression served to that user. To combat this, some behavioral ad networks have been “backing up,” these cookies through other mechanisms – including Flash cookies and other “locally stored objects” – allowing them to be restored at a later date without users’ knowledge or consent. The suits argue this breaches various U.S. computer crime and privacy laws.
Meanwhile in Europe, Neelie Kroes, VP of the European Commission and European Digital Agenda Commissioner, has plainly stated such practices violate European law. Addressing industry members at an online advertising roundtable event in Brussels last week, Kroes said, “I would expect from you a clear condemnation of illegal practices which are unfortunately still taking place, such as ‘re-spawning’ of standard HTTP cookies against the explicit wishes of users.”
Adobe, the manufacturer responsible for the Flash video format, and hence the related cookies, says it does not condone their use for the reconstruction of HTML cookies, and that it offers tools to easily manage and delete them. The cookies were intended simply to store users’ preferences for the plug-in, such as volume settings, for example. Most users, however, are unaware that these cookies exist.
“Basically it works by storing information about the cookie in varying different places both on the browser and the user’s local store. This means that if the user deletes their cookies – and even their Flash cookies – any of the remaining stores can recreate the others at any time, thus rendering the user’s desire for privacy and control useless…This is exactly the kind of technology that scares privacy pundits and industry insiders, and reinforces the concept that the ad industry needs to all come out and agree that it will not use tracking technologies unless they are transparent and in the user’s complete control.”
Indeed, privacy advocates agree. Alexander Hanff of U.K.-based privacy advocacy group Privacy International said the practices were not only deceptive and unethical, but also potentially illegal.
“If a consumer removes or blocks a cookie from their system then a company has to respect that; if they then go and use surreptitious methods to reinstall that cookie against the consumer’s will they are committing an offense,” he told ClickZ. “In the U.K., in my opinion, this would be a clear case of an offense under the Computer Misuse Act at the very least.”
The U.S. suits against Specific Media and Quantcast were both filed in California by a Texas-based lawyer named Joseph Malley. Malley was also involved with Facebook’s high-profile settlement over its Beacon advertising platform, according to reports by ZDNet. Malley did not return requests for comment for this story.